To enable DNSSEC, the zone must be digitally signed by your DNS server. During signing, you create a Delegation of Signing (DS) record. Each DS record contains information the registry uses to authenticate using DNSSEC. You use the DS record and the information it contains to enable DNSSEC for your zone.

You can define up to 10 DS records for each domain name.

Note: For domain names with a .eu extension, you can define a maximum of four DS records. For domain names with a .uk extension (.co.uk, .me.uk, and .org.uk), you can define a maximum of eight DS records.

The domain name extension determines the DNSSEC information you supply for each domain name. Here are the available DNSSEC fields and their usage by domain name extension:

| DNSSEC Field | .com / .net / .biz / .us / .uk / .co | .org | .eu |
| --- | --- | --- | --- |
| Key Tag | Required | Required | Required |
| Algorithm | Required | Required | Required |
| Digest Type | Required | Required | Required |
| Max Signature Life | Not Supported | Optional | Not Supported |
| Flags | Not Supported | Not Supported | Required |
| Protocol | Not Supported | Not Supported | Required |
| Digest | Required | Required | Required |
| Public Key | Not Supported | Not Supported | Required |

The following information is required to create a DS record for your domain name:

Key Tag — This is an integer value less than 65536 used to identify the DNSSEC record for the domain name.

Algorithm — This identifies the cryptographic algorithm used to generate the signature.

Digest Type — This identifies the algorithm used to construct the digest.

Max Signature Life — This field specifies the validity period for the signature. The value is expressed in seconds. You can use any integer value larger than zero.

Flags — This identifies the key type; either a Zone-Signing Key or a Key-Signing Key.

Protocol — This value identifies the protocol to be used for the electronic key matchup.

Digest — This is the digest integer value.

Public Key — Registries use this value to encrypt DS records. Decryption requires a matching public key.
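
Before submitting the fields above, you can recompute the Key Tag and Digest from your DNSKEY and compare them with what you are about to enter. The following is an added example, not code from the original page: it follows the derivation in RFC 4034 (Key Tag checksum from Appendix B, Digest as a hash over the owner name plus the DNSKEY Flags, Protocol, Algorithm and Public Key). The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = [p for p in name.lower().split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA: Flags (2 bytes) | Protocol (1) | Algorithm (1) | Public Key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)

def key_tag(rdata):
    """Key Tag checksum from RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, public_key_b64, digest_type=2):
    """Derive the DS fields a registrar form asks for from one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}

def ds_mismatches(entered, owner, flags, protocol, algorithm, public_key_b64):
    """Return the names of entered DS fields that do not match the DNSKEY."""
    expected = make_ds(owner, flags, protocol, algorithm, public_key_b64,
                       entered["digest_type"])
    entered = dict(entered, digest=entered["digest"].replace(" ", "").upper())
    return [field for field in expected if entered[field] != expected[field]]

# Constructed sample, not a real key: 64 placeholder bytes standing in for an
# ECDSA P-256 (algorithm 13) key-signing key (flags 257, protocol 3).
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    ds = make_ds("example.com.", 257, 3, 13, SAMPLE_KEY)
    print(ds)
    typo = dict(ds, key_tag=ds["key_tag"] + 1)  # simulate a mistyped Key Tag
    print(ds_mismatches(typo, "example.com.", 257, 3, 13, SAMPLE_KEY))  # ['key_tag']
```

A DS record whose Key Tag or Digest does not match any DNSKEY published in the zone makes validating resolvers treat the zone as bogus, so run this check whenever you roll the key-signing key.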